Merge pull request #1143 from nassima17/cti/add-uat9921-voidlink

new: [threat-actor] Add UAT-9921 (VoidLink operator  China Nexus)

Author: adulau

README.md

@@ -703,7 +703,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
 
 [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
 
-Category: *actor* - source: *MISP Project* - total: *940* elements
+Category: *actor* - source: *MISP Project* - total: *941* elements
 
 [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
 

clusters/threat-actor.json

@@ -19796,6 +19796,22 @@
       },
       "uuid": "2462885d-f49e-4731-a163-da704e50aca7",
       "value": "CL-STA-1009"
+    },
+    {
+      "description": "UAT-9921 is a China-nexus threat actor active since 2019, tracked by Cisco Talos. In 2026, they were observed deploying 'VoidLink', a sophisticated modular framework primarily targeting Linux systems (IoT, Critical Infrastructure). Unique characteristics include the use of AI-enabled IDEs for rapid development (ZigLang implant, GoLang backend), P2P mesh networking for C2, and advanced persistence via eBPF rootkits. They target Technology and Financial sectors exploiting Java serialization vulnerabilities (Apache Dubbo).",
+      "meta": {
+        "country": "CN",
+        "refs": [
+          "https://blog.talosintelligence.com/voidlink/",
+          "https://isovalent.com/blog/post/voidlink-cloud-malware-detection/"
+        ],
+        "synonyms": [
+          "UAT-9921",
+          "VoidLink Operator"
+        ]
+      },
+      "uuid": "d2c1b9a8-e3f4-4123-a567-b8c9d0e1f2a3",
+      "value": "UAT-9921"
     }
   ],
   "version": 337